MariaDB Server
MDEV-26414

use-after-poison in Data Manipulation


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 10.7
    • N/A
    • None
    • Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

    Description

      PoC:
      CREATE TABLE v0 ( v1 NUMERIC NULL DEFAULT ( 'x' IN ( 'x' , CURRENT_USER ) ) ) ;
      INSERT INTO v0 VALUES ( v1 - BINARY COALESCE ( NULL , UPPER ( FALSE ) , 76 , STR_TO_DATE ( 'x' , 'x' ) ) ) ;
      OPTIMIZE TABLE v0 ;
      CHECK TABLE v0 EXTENDED ;
      SELECT DISTINCT 'x' FROM v0 LIMIT -128 ;
      INSERT INTO v0 SELECT 16 FROM DUAL UNION ALL SELECT 78093018.000000 FROM DUAL ;

      Log and ASan report:
      2021-08-16 14:41:38 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2021-08-16 14:41:38 0 [Note] InnoDB: Number of pools: 1
      2021-08-16 14:41:38 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
      2021-08-16 14:41:38 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
      2021-08-16 14:41:38 0 [Note] InnoDB: Using liburing
      2021-08-16 14:41:38 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
      2021-08-16 14:41:38 0 [Note] InnoDB: Completed initialization of buffer pool
      2021-08-16 14:41:38 0 [Note] InnoDB: 128 rollback segments are active.
      2021-08-16 14:41:38 0 [Note] InnoDB: Creating shared tablespace for temporary tables
      2021-08-16 14:41:38 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2021-08-16 14:41:38 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2021-08-16 14:41:38 0 [Note] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14
      2021-08-16 14:41:38 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib_buffer_pool
      2021-08-16 14:41:38 0 [Note] Plugin 'FEEDBACK' is disabled.
      2021-08-16 14:41:38 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 14:41:38
      2021-08-16 14:41:38 0 [Note] Server socket created on IP: '0.0.0.0'.
      2021-08-16 14:41:38 0 [Note] Server socket created on IP: '::'.
      2021-08-16 14:41:38 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
      Version: '10.7.0-MariaDB' socket: '/tmp/0.socket' port: 3306 Source distribution
      2021-08-16 14:41:39 0 [Note] /usr/local/mysql/bin//mysqld (initiated by: root[root] @ localhost []): Normal shutdown
      2021-08-16 14:41:39 0 [Note] InnoDB: FTS optimize thread exiting.
      2021-08-16 14:41:39 0 [Note] InnoDB: Starting shutdown...
      2021-08-16 14:41:39 0 [Note] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib_buffer_pool
      2021-08-16 14:41:39 0 [Note] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39
      2021-08-16 14:41:39 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
      2021-08-16 14:41:39 0 [Note] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15
      2021-08-16 14:41:39 0 [Note] /usr/local/mysql/bin//mysqld: Shutdown complete

      2021-08-16 15:36:14 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2021-08-16 15:36:14 0 [Note] InnoDB: Number of pools: 1
      2021-08-16 15:36:14 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
      2021-08-16 15:36:14 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
      2021-08-16 15:36:14 0 [Note] InnoDB: Using liburing
      2021-08-16 15:36:14 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
      2021-08-16 15:36:14 0 [Note] InnoDB: Completed initialization of buffer pool
      2021-08-16 15:36:24 0 [Note] InnoDB: 128 rollback segments are active.
      2021-08-16 15:36:24 0 [Note] InnoDB: Creating shared tablespace for temporary tables
      2021-08-16 15:36:24 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2021-08-16 15:36:24 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2021-08-16 15:36:24 0 [Note] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14
      2021-08-16 15:36:24 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/14/ib_buffer_pool
      2021-08-16 15:36:24 0 [Note] Plugin 'FEEDBACK' is disabled.
      2021-08-16 15:36:24 0 [Note] Server socket created on IP: '0.0.0.0'.
      2021-08-16 15:36:24 0 [Note] Server socket created on IP: '::'.
      2021-08-16 15:36:24 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 15:36:24
      2021-08-16 15:36:25 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
      Version: '10.7.0-MariaDB' socket: '/tmp/14.socket' port: 10014 Source distribution
      =================================================================
      ==2027328==ERROR: AddressSanitizer: use-after-poison on address 0x6290000895d8 at pc 0x558dbe39c322 bp 0x7f2e6320e8f0 sp 0x7f2e6320e8e0
      READ of size 8 at 0x6290000895d8 thread T14
      #0 0x558dbe39c321 in Item_func_in::cleanup() /experiment/mariadb-server/sql/item_cmpfunc.h:2556
      #1 0x558dbededdbb in Item::cleanup_processor(void*) /experiment/mariadb-server/sql/item.cc:572
      #2 0x558dbededdbb in Item::cleanup_processor(void*) /experiment/mariadb-server/sql/item.cc:569
      #3 0x558dbe39e773 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /experiment/mariadb-server/sql/item.h:5439
      #4 0x558dbe952d39 in fix_session_vcol_expr(THD*, Virtual_column_info*) /experiment/mariadb-server/sql/table.cc:3614
      #5 0x558dbe952d39 in fix_session_vcol_expr(THD*, Virtual_column_info*) /experiment/mariadb-server/sql/table.cc:3608
      #6 0x558dbe4c424e in TABLE::fix_vcol_exprs(THD*) /experiment/mariadb-server/sql/sql_base.cc:5434
      #7 0x558dbe4c424e in TABLE::fix_vcol_exprs(THD*) /experiment/mariadb-server/sql/sql_base.cc:5426
      #8 0x558dbe4c4f92 in fix_all_session_vcol_exprs /experiment/mariadb-server/sql/sql_base.cc:5465
      #9 0x558dbe4c4f92 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /experiment/mariadb-server/sql/sql_base.cc:5649
      #10 0x558dbe4c97ff in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /experiment/mariadb-server/sql/sql_base.cc:5261
      #11 0x558dbea323f8 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /experiment/mariadb-server/sql/sql_base.h:509
      #12 0x558dbea323f8 in open_only_one_table /experiment/mariadb-server/sql/sql_admin.cc:419
      #13 0x558dbea36875 in mysql_admin_table /experiment/mariadb-server/sql/sql_admin.cc:635
      #14 0x558dbea3d235 in Sql_cmd_optimize_table::execute(THD*) /experiment/mariadb-server/sql/sql_admin.cc:1542
      #15 0x558dbe63817f in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:5997
      #16 0x558dbe6455a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
      #17 0x558dbe64b60b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
      #18 0x558dbe65073c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
      #19 0x558dbea0be56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
      #20 0x558dbea0c33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
      #21 0x558dbf49cc2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
      #22 0x7f2e87e24258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
      #23 0x7f2e879cf5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)

      0x6290000895d8 is located 9176 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
      allocated by thread T14 here:
      #0 0x7f2e884b6279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
      #1 0x558dbfdcf9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
      #2 0x558dbfdbbe40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243
      #3 0x558dbe4fd1b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405
      #4 0x558dbea09d51 in prepare_new_connection_state(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1240
      #5 0x558dbea0a65f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1333
      #6 0x558dbea0a65f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1322
      #7 0x558dbea0be0a in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1408
      #8 0x558dbea0c33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
      #9 0x558dbf49cc2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
      #10 0x7f2e87e24258 in start_thread (/usr/lib/libpthread.so.0+0x9258)

      Thread T14 created by T0 here:
      #0 0x7f2e88457fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
      #1 0x558dbf49cea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
      #2 0x558dbf49cea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
      #3 0x558dbe30db3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
      #4 0x558dbe30db3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
      #5 0x558dbe3197b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
      #6 0x558dbe31a36f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
      #7 0x558dbe31da52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
      #8 0x7f2e878f8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

      SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/item_cmpfunc.h:2556 in Item_func_in::cleanup()
      Shadow bytes around the buggy address:
      ==2027328==ABORTING
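The report's "use-after-poison" (shadow byte f7, "Poisoned by user") is not a plain heap use-after-free: the faulting address lies inside a MEM_ROOT block allocated via reset_root_defaults, and MariaDB marks such arena memory inaccessible to ASan when the arena is freed or reset, so an Item pointer that outlives its statement arena is caught on the next read. The C arena below is an added illustration of that mechanism, not MariaDB's code; the arena_* names and the sizes are made up for the example.

```c
/* Added illustration, not MariaDB's own code: a bump arena that re-poisons
 * its block on reset, the mechanism behind a "use-after-poison" report.
 * Build with -fsanitize=address (GCC and recent clang define
 * __SANITIZE_ADDRESS__) to see it; otherwise the macros are no-ops. */
#include <stdint.h>
#include <stdlib.h>
#ifdef __SANITIZE_ADDRESS__
#  include <sanitizer/asan_interface.h>
#  define POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#  define POISON(p, n)   ((void)(p), (void)(n))
#  define UNPOISON(p, n) ((void)(p), (void)(n))
#endif

typedef struct { unsigned char *base; size_t size, used; } arena_t;

/* One malloc'ed block, poisoned whole: nothing is addressable until handed out. */
int arena_init(arena_t *a, size_t size) {
    a->base = malloc(size);
    if (!a->base) return -1;
    a->size = size; a->used = 0;
    POISON(a->base, a->size);
    return 0;
}

/* Bump-allocate 8-byte aligned chunks and unpoison only what the caller gets. */
void *arena_alloc(arena_t *a, size_t n) {
    size_t need = (n + 7) & ~(size_t)7;
    if (a->used + need > a->size) return NULL;
    void *p = a->base + a->used;
    a->used += need;
    UNPOISON(p, need);
    return p;
}

/* Reset keeps the block for reuse but re-poisons it (shadow byte f7), so an
 * object allocated before the reset lives on only as a dangling pointer. */
void arena_reset(arena_t *a) { a->used = 0; POISON(a->base, a->size); }
void arena_free(arena_t *a) { UNPOISON(a->base, a->size); free(a->base); }
/* The failure mode: under ASan the read of *item aborts with use-after-poison;
 * unsanitized it quietly returns whatever the arena still holds (42 here). */
int64_t dangling_after_reset(void) {
    arena_t a;
    if (arena_init(&a, 64) != 0) return -1;
    int64_t *item = arena_alloc(&a, sizeof *item);
    *item = 42;
    arena_reset(&a);
    int64_t v = *item;
    arena_free(&a);
    return v;
}
```

Compile the block twice, with and without -fsanitize=address, to compare the two behaviours of dangling_after_reset.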

            People

              Assignee: Unassigned
              Reporter: Zhiyong Wu